
Forum Moderators: coopster & jatar k


Passing variable to PHP query

9:18 pm on Sep 10, 2012 (gmt 0)

New User

joined:Sept 10, 2012
posts: 3
votes: 0

Hi all

Newbie here so please be gentle.

I'm sure this question has been asked 1,000s of times, but I am really struggling, being new to PHP & MySQL and using code copied from a book.

All I want to do is pass a variable from a URL to a MySQL query:


id is the variable I want to pass to the SELECT command in caravan_details.php

I have the following in for_sale.php:

echo '<a class="caravan-moredetails" href="caravan_details.php?id=' .$row['id']. '">More information &raquo;</a>';

I want to pass id as an integer variable to caravan_details.php and I'm using the following SELECT query:

$id = $_GET['id'];
$result = @mysql_query("SELECT * FROM caravans WHERE id='$id'");

I want to pass the variable direct from the URL, not using a form


Thank you :)

9:26 pm on Sept 10, 2012 (gmt 0)

New User

joined:Sept 10, 2012
posts: 3
votes: 0

I should add, I don't get an error message when the script runs, I just don't get any records returned.

9:39 pm on Sept 10, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
votes: 0

What code does for_sale.php generate (view source in a browser)? Is the number in there?
-> if not: that's where you need to look. E.g. do you have a column "id" (or did you name something id in the select statement)?

If that works, did you try to call
caravan_details.php?id=1 (presuming there's such a record in your database)

For the rest: I'd be extremely careful with this type of code: you really need to do strong input validation. Just imagine somebody would call it with a parameter containing 1';drop table caravans;' -> yeah: bye bye table.

For the rest:
- use the mysqli interface (note the i), not the mysql one (it is obsolete).
- use prepared statements (much easier to secure).

Depending on context:
- htmlencode your output to prevent problems with quotes and tags (or at least xmlencode the 5 allowed entities).
- urlencoding might be needed as well.

Unfortunately 99% of books and tutorials do not teach security along with it all, leaving you extremely vulnerable - remember that the examples you rely on are very insecure and need a lot of work to become secure.
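
The three points from swa66's reply (validate the input, use mysqli with prepared statements, HTML-encode the output) applied to caravan_details.php, as an added example that is not part of the original thread. The connection credentials are placeholders, the caravans table with an integer id column is assumed from the first post, and get_result() assumes PHP was built with the mysqlnd driver.

```php
<?php
// caravan_details.php: added example, not the original poster's code.
// Assumptions: DB_USER / DB_PASSWORD / DB_NAME are placeholders, and the
// `caravans` table has an integer `id` column as described in the thread.

// Make mysqli throw exceptions instead of failing silently (no '@' operator).
// Keep display_errors off on a public server so details are logged, not shown.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Input validation: accept only a positive integer in ?id=...
//    filter_input() returns null if the parameter is missing and false if it
//    is present but not a valid integer (e.g. "1';drop table caravans;'").
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid caravan id.');
}

// 2. Prepared statement: the value is sent separately from the SQL text,
//    so it can never change the structure of the query.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('SELECT * FROM caravans WHERE id = ?');
$stmt->bind_param('i', $id);          // 'i' = bind as integer
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

if ($row === null) {                  // valid id, but no such record
    http_response_code(404);
    exit('No caravan with that id.');
}

// 3. Output encoding: every value from the database is HTML-encoded before
//    it is written into the page, so quotes and tags in the data stay inert.
foreach ($row as $column => $value) {
    echo '<p>', htmlspecialchars($column, ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), "</p>\n";
}
```

Because errors are no longer suppressed, a failed connection or a wrong column name now raises an exception instead of returning an empty page.
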

2:35 pm on Sept 11, 2012 (gmt 0)

New User

joined:Sept 10, 2012
posts: 3
votes: 0

Thanks swa66

At the moment, this is only running on my home PC and is a development site to help me get back into things, so security, currently, is no real concern, although thanks for the pointers and I'm sure they will come in handy soon!

With regards to the other bits, for_sale.php generates a basic list of all rows in table caravans and displays them on the page in id number order therefore the id field is already requested from the database when for_sale.php is loaded. It is then passed to caravan_details.php (a more detailed listing of whichever table row is selected) using the code in my first post.

Whilst the output is formatted almost correctly, no values appear in the fields as id is not being picked up from caravanid (or selected from the db correctly).

Hope that makes sense........?
